Windows 8 Secure Boot: Calm down, Microsoft is simply copying Apple

This site may earn affiliate commissions from the links on this page. Terms of use.

Over the last few days it has emerged that Windows 8 ARM computers, be it tablet, laptop, or possibly even desktop form factor, will be locked down and unable to run any other operating systems. This is in strong contrast to x86 Windows 8 PCs, which Microsoft has mandated must be able to run other operating systems.

If you haven’t been following this fracas since it first started to emerge last year, it’s all to do with UEFI — a long overdue replacement for BIOS — and a feature called Secure Boot. In essence, Secure Boot stops a computer from loading an operating system unless it has been signed by the publisher (in this case, Microsoft or an OEM) and its signature has been added to the computer’s firmware. On an x86 Windows 8 computer, you’ll be able to sign your own operating systems (custom builds for Linux, for example), or disable Secure Boot entirely. On Windows 8 ARM computers, neither of these options will be available: You’ll have official builds of Windows 8, and that’s it.

Now, as you can imagine, tech pundits and open source rabble-rousers alike have been raising hell over this little tidbit. How dare Microsoft lock down its devices! Hasn’t Redmond ever heard of consumer rights? Compu-Global-Hyper-Mega-Net anti-trust lawsuit round two, ding ding! And so on.

Only… have these guys never heard of the iPad? The iPad, too, has a locked bootloader and will not load an unsigned operating system. Ditto the PlayBook, Nook, Kindle Fire, most Galaxy Tabs, and the recently-released Asus Transformer Prime. In all of these cases, the only way you can load a custom, unsigned operating system is by finding a flaw in the firmware.

Furthermore, it’s much the same story when you expand your focus to include other non-PC devices, like the PlayStation 3, Xbox 360, or Nintendo DS; they only run signed code, too.

Beating Apple at its own game

Why all the fuss, then? In my eyes, Microsoft is laying out two very different paths for x86 and ARM Windows 8. The x86 PC will continue to be the omnipresent, ubiquitous jack of all trades — while Windows 8 ARM will follow its Windows Phone 7 cousin (also ARM) into the realms of reliable, rugged, robust appliances. Appliances (like a kitchen, TV, or radio) aren’t particularly flexible, but they do a handful of things very, very well. In the case of tablet appliances, they are basically app-executing machines. If the tablet sucks at running apps, has a poor selection of apps, or the general experience of finding, launching, and swiping through apps is unpleasant, the device fails — as we’ve seen with almost every non-iPad tablet.

In short, then, and especially when we factor in the walled garden Windows 8 Store, Microsoft seems to be preparing Windows 8 ARM using an iPad cookie cutter. Considering the iPad’s success, this really shouldn’t be a surprise. Heck, with Windows 8 Metro apps being fully cross-platform — the same apps will work on x86 and ARM machines — Microsoft might even be able to beat Apple at its own game.

On the flip side

I’ve only painted one side of the story, however; a side that depicts a positively pure and just Microsoft. Now it’s time to shade in the darker aspects of Windows 8 ARM’s Hardware Certification Requirements.

You see, mandating Secure Boot is fine — but why does Microsoft then go on to add that Windows 8 ARM devices must not, under any circumstances, have the option of disabling Secure Boot? To put this into perspective, look at Google’s Nexus devices: They have a locked bootloader, but it can be unlocked with developer tools. The Cr-48 — a developer-oriented laptop running Google’s quietly-dying-in-the-corner Chrome OS — has a similar feature called Verified Boot, but it can be disabled using a hardware switch behind the battery.

Microsoft could allow for either of these possibilities with Windows 8 ARM devices, but it hasn’t. I’m not entirely sure why, either. It could be a conscious effort to force a wedge between x86 and ARM — but that seems unlikely, given Microsoft’s pained insistence that every Windows 8 computer, irrespective of architecture, is a PC.

It could also be the result of Intel and PC OEMs leaning on Microsoft; locking tablets is just about permissible, but can you imagine the uproar if you couldn’t install Linux on a Windows 8 computer? Vice versa, maybe cellular carriers and OEMs asked Microsoft to force Secure Boot to reduce the number of bricked ARM devices.

Zooming out again, though, there’s a much more important question that remains unanswered: Will we be able to install Windows 8 on other ARM hardware? It’s important to note that these Hardware Certification Requirements apply only if OEMs want to build computers with “Designed for Windows 8” stickers on the front. Like Windows 7, you’ll be able to install Windows 8 on any x86 PC — but will I be able to buy or build a blank ARM tablet and install Windows 8 on it?


People should stop bitching about it. ALL of Microsoft’s security measures on their consumer-grade products have been disabled by hackers on their first day of release. I doubt this will be a different situation.

The jailbreak isn’t out because they released the jailbreak before the phone even was sold so Apple blocked the jailbreak. That’s the jailbreakers’ fault for coming out and saying the device is already jailbroken.

Discit

I think jailbreaking iOS has slowed because of cost benefit. Apple doesn’t support updates on jail broken phones, and almost all of the iOS security issues you hear of are due to jailbreaking creating security holes.
Plus, right or wrong, Apple learns from the hackers and their own customers.
Most of the things people jailbreak for get added to iOS. Even the developer SDK came about because Apple hired the first people to hack iOS to help create the public tools.

Cody Beasley

The issue with secure boot is if you have to wipe the drive, and you have a laptop, you end up having to wipe the oem partitions if you want to reinstall windows. And it can even end up making a BIOS loop with the UEFI. My friend was testing out a netbook with Windows 10 on it, and it tried to reinstall to OEM, but when the drive was wiped, it wiped the oem partitions, and that put it into a BIOS loop where it kept restarting, and now the machine’s a brick.

Robert Bradbury

What I find amusing is the current trend of presenting your new gismo by a chemo patient. R.I.P. Jobs!

Pascal Arcanus

I guess the reason is clear: they want to avoid what they see on the PC side: people with computers full of crapware just blame… Windows itself, and switch to Mac / say their Mac is better ( hi boss ;-) ).
If they make unlocking the ARM devices an easy process, people will just use the switch, install crap and say the same.
Anyway, somebody will find a way to make a jailbreak, so people who really want to unlock their device will always be able to. It’s just that MS will clearly not support this (at least publicly).

and who is this? Sebastian is definitely not the person you speculated and I did not know it is possible to put so many insults into a sentence on a professional website. FYI extremetech is not the typical fanboy blog (like engadget etc.).

Because copying Apple, another company that loves to be as monopolizing as possible, is totally not in any way going to hurt market competition.
Also, just because other devices have done it does not mean it’s alright. There was an uproar about Sony going back on letting Linux onto the PS3. It’s people who accept corporations locking out other options that lets Microsoft get away with this shit and thus maintain such control.

J. Andrew Lanz-O’Brien

The difference is, Windows is a proper operating system, not an appliance operating system like iOS. Windows on x86 and Windows on ARM will be the same, general purpose operating system. Thus, where the iPad can be called an appliance, Windows 8 tablets cannot. Microsoft is forcing OEMs to remove the ability to disable secure boot on a device that CANNOT be called an appliance, a device which really is a computer. Apple is the manufacturer, they can do what they want to their own hardware, but Microsoft is NOT.

Also, saying they’re doing this for security is ridiculous. Why not prevent infection in the first place rather than screwing with infection’s ability to mess with the boot? Don’t forget, there isn’t much malware that affects the boot process. This is clearly just a way for them to remove consumer control and pass it off as a good thing.

I kind of agree with you — but I think this is just the latest move in drawing a line between x86 and ARM Windows 8.

I’m fairly certain that Windows 8 ARM won’t use the Desktop side of things at all — or only once in a blue moon. They’ll just stick to Metro. It’ll be nice to have the option there, but..

Will be interesting to see how Medfield pans out, though. I mean, if it performs as well as ARM chips… you’ll basically have the choice of a locked ARM tablet, or an open x86 tablet. Tough call.

Saad Parekh

“Why not prevent infection in the first place rather than screwing with infection’s ability to mess with the boot?”

Although I agree with your main argument this is plain stupid. The thing is introducing safe boot with UEFI is actually a preventive method that you are insisting on. In that it isn’t preventing your general purpose viruses, but very nasty stuff like rootkits. Rootkits specifically affect the boot loader; if not for this they would be easily detected and quarantined by any anti-virus program.

Anonymous

The difference as I see it is that on other ARM devices it is the HARDWARE manufacturer that is attempting to lock down the device. Apple locks its hardware, as do many phone and tablet makers. But Google does not require a locked device on Android.

If I were to guess, I would say this is all about money. Microsoft will likely be severely cutting the per unit license cost of Win8 for tablets in order to remain competitive with the free Android OS. They may also be hoping that Win8 on a tablet might encourage a Win8 upgrade on the desktop. What would happen to that idea if a popular Win8 tablet took off and most of the users reloaded Android or a full copy of Linux on them?

On the desktop, Linux and other OSs do not currently pose a huge threat on all those OEM loaded Windows PCs, but Microsoft knows a locked device is the only way they can compete on Arm devices. . .

Daniël Westerbeek

In the third paragraph under “On the flip side”, you say “I’m entirely sure why, either.” – I guess you mean that you are nót entirely sure?

In the case of Transformer tablet, it has been said that it will be possible to unlock the tablet but Google Video and Market will be disabled. That is because it will be possible to copy videos and paid applications and Android does not have a DRM like mechanism to limit the usage of copied files.

Ms is not copying Apple, they are not making hardware but rather trying to tie hardware makers up.. Requiring a Switch to allow developer and alternate Operating systems use seems pretty reasonable.. This is a pure power grab trying to lock out alternative while MS still has enough market clout to try to get away with it.

Designer Dragon

NO fuckstick, that isn’t what they did. Years later I enjoy laughing at all the sky is falling morons now that this hasn’t turned out to be an issue at all.

Anonymous

The writer of this article is kinda retarded and doesn’t know much aside for just enough to try and bash Microsoft. (BTW – that is exactly how you get promoted to Google’s news search engine)

Yes the boot area is probably locked down, that’s all.
I’m very sure that a VMed session of Linux and other variations can be run VERY EASILY as before. APPLE LOCKS DOWN THEIR OS TO THEIR HARDWARE ONLY !
That’s the difference! Got it Sebastian Anthony ?!!

While Apple has a walled garden, yes WP7 apps have followed suit and are like Apple’s model… HOWEVER – MS doesn’t care if you jailbreak it with the chevron break, and load whatever else you want that is not MS certified.

Now saying that, they also don’t care what else you install on Windows 8.

So please calm down. The ONLY part of the story that’s news is the boot sector – nothing else

Brian Marino

My question about this problem is simple. When they refer to Unauthorized programs are they only speaking about being able to boot up a different operating system? Or will this eventually lead to certain programs that Microsoft deems “Unauthorized” not being able to be loaded onto my computer (within windows). A torrent device or third party MP3 or Video player for example.

How are they copying Apple. I can install and use Mac OSX, Linux and Windows 7 on my mac with no problem… Well, Microsoft they only want you to use Windows 8. THAT’S CRAP, which can make it almost impossible to run Linux on a non-custom PC’s as a Laptop.

I use my desktop computer for everything like a x86 (32 bit). The hardware is capable 64 bit so I run 64 bit OS mostly. I ran the Windows 8 Upgrade Assistant from a 64 bit environment and got, “Secure Boot isn’t compatible with your PC

Your PC’s firmware doesn’t support Secure Boot so you won’t be able to use it in Windows 8.”

That is confusing because there are 32 bit and 64 bit Release Previews available for download.

Where do Intel 64 bit processors sit in all this? It is not ARM why should I need Secure Boot?

You probably have a BIOS-based and not UEFI-based motherboard, so of course the Secure Boot feature cannot be implemented; it does not say you cannot run Windows 8, just that you won’t get this feature. On the rest I think that a solution like a hardware switch would be ideal for the ARM platform as it would enable disabling the secure boot whilst at the same time requiring physical presence, excluding any possibility of this being done in an automated software way and of disseminating secure key info in the public knowledge as most open source licenses would require.

Discit

They are so not copying Apple, or if they are, they’re escalating the lockdown 100 fold. Apple locks their own devices they produce. Nobody is saying Microsoft can’t lock down their own tablet. What they’re doing is trying to bully the entire industry of tablet vendors so nobody can do a side by side comparison of the same hardware, or getting actual manufacturers to lock customers in for them. You can run Windows or Linux on a Mac without an “Apple approved” certificate. If they were only locking their own produced devices that would be one thing, but they want to stifle competition on devices others produce…

Olav Salhus

“Now, as you can imagine, tech pundits and open source rabble-rousers alike have been raising hell over this little tidbit…….The iPad, too, has a locked bootloader and will not load an unsigned operating system.”

Are you saying it is okay because everyone else is doing it?

CrazyonGames

Good post and really helpful. I wanted to test Windows 8 but before that I wanted to check the security of it. I saw another good article in vpswebserver about the security of Windows 8. I think Windows Defender will take the place of most of the third party virus programs

yellowcrash10

“Google’s quietly-dying-in-the-corner Chrome OS”
That was the best part of the article XD
Also, Chrome OS has changed a LOT over the past year. The “dying-in-the-corner” thing doesn’t really apply anymore.

Designer Dragon

Yep, it’s now the “dead-in-the-corner Chrome OS.”

ginger

Apple builds its own hardware, so who cares. Microsoft makes xbox, so I don’t care about that. But, at this Microsoft doesn’t build computers, so why should they tell me what I can do when I buy someone else’s hardware?

Damien

I would love to get a high-end Nokia device and install Android -KitKat on it.

Anne

I think Microsoft copying Apple strategies is even more reason to get upset. There is a reason the last Apple device I used was the II3 with the floppy floppy disk in the computer room at my middle school. I’ve used anything but Apple specifically for the reason that their computers have too many restrictions and too many compatibility issues and I think they’re just a pain. This has proven out time and time again, the most recent case I can think of is the iMessage disaster. I used Unix for a long time, and then got Windows as well and eventually stuck with Windows. I’d hate to have to do a 180 and go Linux at this point, but I am a little worried that they’re going to make a habit of this kind of thing. I’m hardly a developer, but every now and again I like to take my meager skills out for a spin and I’m really not about paying for a device that likes to tell me no.

Designer Dragon

Open Source butt-hurt. Nothing to see here, folks.
